FDA Warns of Cybersecurity Vulnerabilities in Certain DNA Sequencing Devices

Several models of Illumina DNA sequencing devices have cybersecurity flaws that could allow hackers to access patient information, warns FDA

Federal health officials are warning medical facilities that certain diagnostic DNA sequencing devices contain software vulnerabilities, which could make them susceptible to cybersecurity hacks.

The U.S. Food and Drug Administration (FDA) and the Cybersecurity & Infrastructure Security Agency (CIS) issued a medical device cybersecurity warning on April 27, indicating that certain DNA sequencing devices manufactured by Illumina have software security flaws that could allow hackers to control the devices and access private patient information remotely.

Cybersecurity threats in the medical field have been a growing concern over the last few years, as vulnerabilities to healthcare organizations’ record systems and medical devices have surfaced. Since 2014, the U.S. Department of Homeland Security (DHS) has investigated dozens of suspected cybersecurity flaws in medical devices and hospital equipment.

Critical-Rated Software Flaw Could Destroy Patient Test Results

In the latest warning, FDA officials identified vulnerabilities in Illumina’s iScan, iSeq, Miniseq, MiSeq, MiSeqDx, NextSeq, and NovaSeq diagnostic DNA sequencing devices. The devices are used in a clinical diagnostic setting for research purposes, or to screen patients for various genetic disorders.

The warning outlines two cybersecurity vulnerabilities related to the devices, which if exploited, could allow hackers to take control of the devices remotely, alter network settings and configurations, and run harmful code that allows access to sensitive patient data.

The first security flaw being tracked is titled CVE-2023-1968. The flaw was given the maximum vulnerability rating of 10 out of 10, making it a “critical” threat to patients. The flaw allows hackers to potentially access the devices online without a password, which could allow a bad actor to alter or delete DNA sequencing device test results.

The second security flaw being tracked is CVE-2023-1966, which was given a vulnerability severity rating of 7.4 out of 10. This flaw could allow hackers to upload and run their own malicious code designed to alter network setting configurations on the devices. Officials warned this could allow hackers to obtain private patient data.

While neither the FDA nor Illumina have received any reports of hackers exploiting the cybersecurity vulnerabilities,  Illumina has issued a software patch to strengthen network security on its affected DNA sequencing devices. It also sent notifications to potentially affected customers, advising them to check their products for signs of potential unauthorized activity.

The FDA is also urging healthcare providers and clinical laboratory personnel to download the manufacturer’s software patch immediately and report any suspected hacking activity on their devices to federal officials.

Dozens of Other Medical Device Security Flaws Identified

The FDA and other federal security agencies, such as the Department of Homeland Security (DHS), have issued warnings on at least two dozen similar medical device and hospital equipment cybersecurity flaws since 2014.

Last year the FDA released a warning on a potentially deadly cybersecurity problem with the Medtronic MiniMed 600 insulin pump. The flaw allowed for an unauthorized users to deliver fatal insulin doses to diabetic patients using the devices. This cybersecurity failure, along with a series of recalls, led to several wrongful death lawsuits filed on behalf of patients who suffered serious injury or death as a result of the Medtronic MiniMed product malfunction.